Some Responses by W J Caelli, AO to: Cloud Computing Consumer Protocol : ACS Cloud Discussion Paper, July Part 1.

21 Castle Hill Drive South, Gaven. Qld. 4211. Australia.
Phone: +61 – 7 5502 2978
Mobile/Cell: +61 – 414 987 952
Email: [email protected]

2 September 2013

Some Responses by W J Caelli, AO to:

Cloud Computing Consumer Protocol : ACS Cloud Discussion Paper, July 2013 Part 1.

“How sweet to be a cloud
Floating in the blue!
Every little cloud
Always sings aloud.”

A. A. Milne, “Winnie-the-Pooh”, Methuen & Co. Ltd., 1926

Question 1. Do you believe a voluntary protocol in which cloud suppliers provide undertakings and information about their services would improve confidence in the market and increase the adoption and take-up of cloud computing services?

Voluntary Protocols.

The main concept here is one of preference for “light touch” legislation and “voluntary” commitments. The simple fact is that a broad principle of “evidence based” policy development must provide solid factual backing that such an approach has, does and will work. It is submitted that no such evidence exists.

Action:

Solid evidence must be provided that a “voluntary protocol” would be effective.

Value Proposition

It has to be clearly demonstrated that appropriate savings, and any allied statements of benefits, apply to the adoption of “cloud services”, particularly by small to medium enterprises (SMEs) and even large scale public and private sector enterprises. It is very unlikely, indeed really impossible, that any commercial enterprise will ever state that its value proposition is not the best one available and that an alternative approach offers better value.

Very similar statements were common in the 1970s and 1980s in relation to the then equivalent of “cloud services”, viz. “time-sharing services”, offered by a number of large groups such as GEISCO, Tymnet, IBM Service Bureau Corporation, etc., often using exactly the same technological base now available from cloud service providers, viz. “virtual machine” structures accessed through data networks.

The “microcomputer revolution” questioned both the business and economic models and bases of these services, and the home/SME/corporate user moved rapidly towards the PC as a better and more cost effective solution. The “time sharing” services were shown NOT to be cost effective, and the massive uptake of the PC, and of PC based servers, as a business tool resulted. Today, for a capital investment of well under $2,000 any SME can easily obtain a computer system with enough capacity to handle any business requirement, including necessary backup and allied resilience needs, e.g. UPS (Uninterruptable Power Supply), backup storage, etc.

Moreover, the penetration of “open source” software systems, both system and application levels, into this business area has also been of note in 2012/2013 as the move to “tablet” based systems takes on a new imperative.

Action:

The use of “evidence based policy development” principles (Prime Minister Rudd) [i] must be clear and documented.

Undertakings

Without legal and regulatory backing any undertaking or like provision of information may have little credibility. For example, such undertakings in the pharmaceutical, motor vehicle, air services and like industries are clearly governed by an appropriate legal and regulatory regime. Dependence on broad consumer protection legislation has proven to be insufficient.

Acknowledging that the national information infrastructure is no less important to the well-being of the nation than those industries, and may even be more critical, non-legally binding declarations may simply devolve into marketing documents. This is particularly true in relation to the security and resilience of any offering, as well as to the clear indication of the legal regimes under which the vendor operates.

Unbalanced Contracts and Information : Understanding and Appreciation

By their very nature “cloud computing” contracts will be unbalanced in that the vendor has far greater knowledge of the offering than the potential customer. This matter was clearly

“Knowledge imbalance opens door to exploitation, says ICAC. Senior executives in the NSW public service feel vulnerable to corruption due to a lack of understanding of specialist IT contract work, according to the Independent Commission Against Corruption (ICAC).” [ii]

It also came to the fore in the UK recently as follows:

“Government leaders lack tech knowledge, says US cyber expert. … Many government leaders are not informed and familiar with technology, according to Scott Borg, director and chief economist at the US Cyber Consequences Unit, an independent research institute. … ‘This leads to wrong decisions, such as investing in technology solutions that are useless, or financing research that will never produce results,’ he told FutureGov.” [iii]

Summary:

There is no evidence that such an approach has, does or will work to provide the levels of assurance desired.

Question 2. a) If you are a potential user of cloud services, do you now have a better understanding of cloud computing and its benefits for your business or operations? What further information do you need to feel confident in deciding to adopt cloud services into your business? b) If you are a provider of cloud services, is the description above of cloud services and the outline of its benefits accurate and comprehensive for prospective users who may know little of the details of cloud computing?

Understanding:

There is little to help any such understanding in the associated documents beyond mere “brand trust”. For example, there is a vast difference in security and resilience structures between cloud services hosted on mainframe systems and those based on microprocessor based server units. This was clearly pointed out over 10 years ago by researchers at the USA’s Naval Postgraduate School in the following paper:

“Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor”, by John Scott Robin, U.S. Air Force, and Cynthia E. Irvine, Naval Postgraduate School.

Indeed, while changes in the base CPU architecture of Intel microprocessors have occurred, full and resilient isolation of computing processes and data in a shared environment such as “cloud services” must be assured by any vendor. The use of mainframe systems for such assurance of security has been known for over 40 years (see IBM System/360-67, VM-67 operating system).

This is further examined in an IBM document entitled:

“Consolidated security management for mainframe clouds”, IBM, February 2012.

A concrete example in this area is the use, by cloud vendors, of HSMs (Hardware Security Modules) for the provision of all encryption services. This is by no means guaranteed, and the implications may not even be understood by the potential client. Similar concerns apply to the use of appropriate data network/Internet/WWW facilities, wherein all virtual machines in a scheme may share the Internet interface to the system, e.g. through use of a common DNS (Domain Name System) resolver, etc.

The user and even the vendor alike need to understand and be able to easily manage the security and resilience parameters involved. This is NOT the case at present for cloud services.

Summary:

Cloud contracts are inherently based upon unequal knowledge and expertise, with the vendor usually having a major advantage over any client. “Brand trust” thus comes into play as the only recourse for most clients. This necessitates a solid legislative process backing a set of industry standards.

Additional Comments: Cloud Systems Training, Education and Research in Australia.

The recent (August 2013) “Academic Ranking of World Universities in Computer Science” did not find one Australian university worthy of ranking in its top 100. Australia then had four in the 101-150 area. A cursory overview of courses available in Australian universities in relation to “cloud systems” shows an almost total lack of such courses, coupled with a cursory overview and/or application oriented approach where they do exist, e.g. the appropriate course at the Queensland University of Technology. Indeed, a deep technological / scientific understanding of cloud systems architecture and management is simply missing, which prevents any consumer of such services from being able to adequately judge what is being offered.

Summary:

Training, education and research in the cloud systems area, particularly in regard to safety and security, is missing in Australia.

The problem is the perception of cloud systems, from a privacy and security viewpoint, that is similar to that of Pooh Bear in that the cloud “always sings aloud”. In other words, privacy and

Notes

[i] Rudd, K.; “Policy innovation and evidence-based policy-making is at the heart of being a reformist government.” http://www.smh.com.au/business/rudds-vision-for-the-bureaucrats-20080504-2au6.html#ixzz2dbw69pAh Accessed 1 Sept 2013.

[ii] URL http://www.itnews.com.au Accessed 22 August 2013.

[iii] Ashford, W.; URL http://www.computerweekly.com, Tuesday 27 August 2013.

Regards,

---
Emeritus Professor William J (Bill) Caelli, AO
PhD, B.Sc (Hons), FACS, FTICA, Fellow ISC2, Sen MIEEE, Hon. CISM
Director - International Information Security Consultants Pty Ltd
Member - Independent Scholars Association of Australia
Adjunct Professor - Griffith University and the Queensland University of Technology

Email: [email protected] -or- [email protected]
International Phone: IISEC: +61-7-55022978 QUT: +61-7-31389451 Mobile/Cell: +61-414 987 952
National Phone: IISEC: 07-55022978 QUT: 07-31389451 Mobile/Cell: 0414 987 952
URL: IISEC: http://www.iisec.com.au QUT: http://staff.qut.edu.au/staff/caelli/
---
